Applying the Risk Assessment Standards Using a Case Study Approach

• Chapter 0 - Overview - Applying the Risk Assessment Standards
• Chapter 1 - Gaining an Understanding of the Entity and Its Environment
  • Learning Objectives
  • Introduction
  • Understanding the Entity and Its Environment
    • Gathering Information
    • Components of Understanding the Entity and Its Environment
    • Understanding the Entity's Industry and Related Regulations and Other External Factors
    • Nature of the Entity's Operations
    • Objectives and Strategies and Related Business Risks
    • Measurement and Review of Financial Performance
  • Internal Control over Financial Reporting
    • Control Environment
    • Entity's Risk Assessment
    • Control Activities
    • Monitoring
    • Information and Communication Systems
  • Entity Level Controls
    • Control Environment
    • Risk Assessment
    • Control Activities
    • Monitoring
    • Information and Communication
    • Anti-Fraud Programs and Controls
  • A Tool for Gathering Information about the Entity and Its Environment: Asking the Right Questions
    • Evaluating the Design of Entity-Level Controls and Assessing the Overall Risk at the Financial Statement Level
    • Preparing an Overall Response to the Overall Risk Assessment at the Financial Statement Level
  • Assessing the Risks of Material Misstatement at the Overall Financial Statement Level
    • Client Continuance or Acceptance
    • Planning Materiality
    • Results from Performing Preliminary Analytical Review Procedures
    • "Brainstorming" Session
    • Summary - Assessing Risks of Material Misstatement at the Overall Financial Statement Level
  • Responding to the Risk of Material Misstatement at the Overall Financial Statement Level
    • Developing an Overall Audit Strategy
    • Specialized Skills
  • Documenting the Auditor's Risk Assessment at the Overall Financial Statement Level and Response
    • Summary - Documenting the Auditor's Understanding of the Entity and Its Environment, Including Entity Level Controls
    • Issuing an Audit Planning Document
  • Summary
• Chapter 2 - Documenting the Auditor's Understanding of Internal Control over Financial Reporting
  • Learning Objectives
  • Introduction
  • Steps in the Documentation Process
    • Identifying Significant Accounts
    • Identifying Significant Underlying Processes
    • Routine Processes
    • Non-Routine and Estimation Processes
    • Information Technology (IT) Processes
    • Importance of IT Controls
  • Obtaining Documentation of Processes
    • Performing Walk-throughs of Significant Processes
    • Ask "What Could Go Wrong" Questions to Identify Key Controls
    • Identifying Preventive or Detective Controls
  • Using a "Control Matrix" Tool
  • Using a "Risk Assessment Summary" Tool
  • Inherent Risk, Control Risk, and Combined Risk
    • Audit Risk
    • Assessing Inherent Risk
    • Assessing Control Risk
    • Determining Whether to Test Controls
    • Combined Risk Assessment
    • Responding to the Combined Risk Assessment
    • Nature of Tests
    • Timing of Testing Procedures
    • Extent of Testing Procedures
    • Significant Risks That Require Special Audit Consideration
  • Summary
• Chapter 3 - Evaluating the Design Effectiveness of the Financial Statement Closing Process
  • Learning Objectives
  • Introduction
  • Components of the Financial Statement Closing Process
  • Financial Statement Closing Process Considerations Tool
    • Evaluating the Design Effectiveness of the FSCP
    • Testing the Operating Effectiveness of the FSCP
    • Documenting the FSCP
  • Summary
• Chapter 4 - Evaluating and Communicating Misstatements and Deficiencies in Internal Control
  • Learning Objectives
  • Introduction
  • Evaluating Misstatements
    • Impact of Misstatements
    • Known vs. Likely Misstatements
    • Differences in Accounting Estimates
    • Consideration of Prior Year Uncorrected Misstatements
    • Qualitative Factors
    • Uncorrected Misstatements
    • Summary of Uncorrected Misstatements
    • Communicating Misstatements
    • Documentation
  • Evaluating and Communicating Deficiencies in Internal Control
    • SAS No. 115
    • Deficiencies in Internal Control
    • Evaluating Deficiencies in Internal Control
    • Exceptions Identified During the Testing of the Operating Effectiveness of Internal Control
    • Evaluating Exceptions in the Design or Operating Effectiveness of Internal Control
    • Inconsequential Misstatements
    • Significant Deficiencies
    • Material Weaknesses
    • Nonattest Services, Internal Control over Financial Reporting, and Auditor Independence
    • Form of Communication
  • Conducting a Closing Meeting
  • Summary
• Chapter 5 - Latest Developments

753540

Chapter 0 - Overview - Applying the Risk Assessment Standards

This course focuses on the practical implementation of the AICPA Auditing Standards Board's (ASB) "risk assessment standards," SAS Nos. 104 through 111. Included throughout the text material are several examples presented to demonstrate how the auditor might document his or her procedures in a manner emphasizing critical thinking.

The ASB's risk assessment standards require the auditor to gain an understanding of the entity and its environment, including internal control, sufficient to assess the risk of material misstatements at the overall financial statement level and at the assertion level for significant accounts or groups of accounts and classes of transactions. The auditor is then required to develop an appropriate response at the overall financial statement level and at the account level.

Chapter 1, "Gaining an Understanding of the Entity and Its Environment," describes the components of understanding the entity and its environment. Such components include gathering information about the following:

- The entity's industry and related regulations and other external factors

- The nature of its operations

- Its objectives and related business risks

- How management measures and reviews financial performance

- Its internal control over financial reporting

Internal control includes five components as described by the COSO Integrated Framework:

1. Control environment

2. Entity's risk assessment

3. Information and communication

4. Control activities

5. Monitoring

Chapter 1 includes matters the AICPA PCPS Technical Issues Committee (TIC) has identified as "best practices" or practice application challenges. (TIC acts as an advocate for all local and regional firms and represents those firms' interests on professional issues.) Also included are case studies to demonstrate the practical application of the risk assessment standards.

Chapter 1 introduces the "Entity Wide Considerations Tool" as Exhibit 1-1. This tool presents questions intended to stimulate the information-gathering process to understand the entity, including its entity level or entity wide controls, as part of the process to assess the likelihood of a material misstatement at the overall financial statement or entity level. The questions have been scaled for non-complex, smaller audit entities, i.e., those requiring less than 300 audit hours. Further, the questions encompass the entity's industry conditions, the nature of its operations, its business and accounting risks, how its management measures and reviews financial performance, and the entity's internal control components at a high level. The auditor responds to the questions most relevant to make an informed assessment of the likelihood of a material misstatement at the overall financial statement or entity level. The auditor is encouraged to develop other questions pertinent to the entity's environment.

The auditor also responds to other inputs to make an informed assessment of the likelihood of a material misstatement at the overall financial statement level. Other inputs include the results of client continuance or acceptance procedures, planning materiality, results from performing preliminary analytical review procedures and results from the audit team "brainstorming" session.

The auditor then develops an overall response to the assessed risk of material misstatement at the overall financial statement level. The overall response includes estimating audit hours required, identifying significant accounts and locations, determining staffing needs (including specialists and experience requirements), and deciding on levels of supervision and review. In addition, the auditor decides on an overall audit approach (e.g., test and rely on controls or perform extensive substantive tests of account balances and classes of transactions), and the timing, nature and extent of other audit procedures.

Chapter 1 also includes a model labeled "Documenting the Auditor's Risk Assessment at the Overall Financial Statement Level and Response" as Exhibit 1-2 to demonstrate how the auditor documents his or her understanding of the entity and its environment and overall risk assessment and response at the financial statement level. The model presented was derived from an actual audit engagement.

At the end of Chapter 1, a summary of documentation typically resulting from the audit planning process is provided. The documentation includes an example of an "Audit Planning" document issued to those charged with governance as Exhibit 1-3. The example presented was derived from an actual audit engagement. The example presented has been used effectively for smaller audit engagements.

Chapter 2, "Documenting the Auditor's Understanding of Internal Control Over Financial Reporting," describes the steps in documenting the risk assessment process. Such steps include

- Identifying significant accounts.

- Identifying significant processes underlying significant accounts.

- Obtaining documentation of significant processes underlying significant accounts.

- Performing "walk-throughs" of significant processes.

- Asking "what could go wrong" (WCGW) questions to indentify key controls.

- Relating WCGW questions and controls to financial statement assertions.

- Identifying preventive or detective controls to mitigate potential misstatements.

- Assessing risk and evaluating control effectiveness. A case study addressing walkthroughs is included.

The TIC believes that there is some confusion in practice relating to the performance of walkthroughs. Examples of key WCGW questions for customary routine processes such as sales, cash receipts, purchasing and expenditures, cash disbursements and payroll are provided. These WCGW questions are related to financial statement assertions. A "Control Matrix Tool" is also provided to assist the auditor with the risk assessment process for routine processes. A partially completed control matrix is provided as Exhibit 2-2 for the sales process of a smaller entity.

The Control Matrix Tool supports another tool, referred to as the "Risk Assessment Summary Tool." The Risk Assessment Summary Tool captures the entity's significant accounts, the significant routine, and non-routine and estimation processes underlying those accounts, the related risk assessment (inherent, control and combined), and provides linkage to the responsive audit approach. Control risk includes the control design and its operating effectiveness. The Control Matrix Tool assists with the control risk assessment process. A completed Risk Assessment Summary for a smaller entity is provided as Exhibit 2-3. Exhibit 2-3 was derived from an actual audit engagement.

Chapter 2 also describes the considerations for evaluating the design of internal controls and for assessing inherent risk, control risk and combined risk. Combined risk is related to audit risk.

Throughout Chapter 2 is commentary from the TIC. At the end of Chapter 2 a summary of the several types of internal control documentation discussed in this chapter.

Chapter 3, "Evaluating the Design Effectiveness of the Financial Statement Closing Process," discusses the components of the financial statement closing process (FSCP). The components of the FSCP are addressed. A "FSCP Controls Consideration Tool" is provided as Exhibit 3-1. It has questions intended to stimulate the gathering of information to understand the entity's FSCP as part of the process to assess the likelihood of a material misstatement. These questions have been scaled for non-complex smaller audit entities, i.e., those requiring less than 300 audit hours. The auditor is encouraged to develop other questions relevant to the entity's FSCP. The auditor responds to the questions to make an informed assessment of the effectiveness of the design of the FSCP to prevent a material misstatement from occurring or detecting and correcting a material misstatement should one occur. The auditor then decides whether to test the operating effectiveness of controls over the FSCP, assesses risk of material misstatement during the FSCP, and develops a response to the assessed risk.

A model documenting a smaller entity's FSCP is provided as Exhibit 3-2. The model includes an evaluation of the design effectiveness and the auditor's planned response to the assessed risk. The model was derived from an actual audit engagement. Further, Exhibit 3-2 also shows how most non-routine and estimation processes may be effectively documented as an integral part of the FSCP for smaller audit entities. A key component of the FSCP is the account reconciliation and/or analysis of significant accounts. Also presented is a case study for a very small entity with limited accounting resources. This case study demonstrates how the auditor might document his or her understanding of the entity's FSCP, and his or her evaluation and tailored response.

For many smaller audit entities, the auditor will usually not test the operating effectiveness of the design of the FSCP process because it is not cost effective to do so. Regardless, the auditor is required to (1) agree the amounts in the entity's financial statements and their accompanying notes to the accounting records and (2) examine material journal entries made during the course of preparing the financial statements.

Chapter 4, "Evaluating and Communicating Misstatements and Deficiencies in Internal Control," discusses misstatements and deficiencies in internal control. A tool labeled Summary of Uncorrected Misstatements is presented as Exhibit 4-1. A substantially completed Summary of Uncorrected Misstatements tool is presented as Exhibit 4-2. Practical suggestions are included to reduce errors commonly made when evaluating misstatements. Chapter 4 also compares the definitions of a significant deficiency and material weakness under SAS No. 112 to SAS No. 115. Several case studies are included. One case study addresses uncorrected misstatements using the Summary of Uncorrected Misstatements tool. This case study demonstrates how the auditor evaluates uncorrected misstatements using both the "Income-Focused" approach and the "Balance Sheet-Focused" approach. Another case study addresses exceptions identified during tests of the operating effectiveness of controls. A third case study addresses evaluating the severity of deficiencies in internal control. A fourth case study addresses evaluating misstatements from a quantitative perspective.

Auditors commonly meet with their clients face to face to discuss the drafts of the audited financial statements and the results of the audit. Matters usually addressed include uncorrected misstatements, subjective accruals, difficulties encountered, revisions to audit scope, cooperation received, etc. An example of an "Audit Results" report used to document "required communications" is presented as Exhibit 4-3. The example presented was derived from a very small engagement and may be expanded to a much larger one.

753540